Skip to content

ascon: update formulas and check for API compatibility#406

Merged
armfazh merged 2 commits intocloudflare:mainfrom
armfazh:asconCte
Feb 21, 2023
Merged

ascon: update formulas and check for API compatibility#406
armfazh merged 2 commits intocloudflare:mainfrom
armfazh:asconCte

Conversation

@armfazh
Copy link
Contributor

@armfazh armfazh commented Feb 21, 2023
edited
Loading

  • Updating code points for Modes.
  • Check the cipher.AEAD interface works as expected.
  • The interface allows to reuse the plaintext to store the ciphertext.

@armfazh armfazh added the tests Include new tests on the code label Feb 21, 2023
@armfazh armfazh requested review from bwesterb and cjpatton February 21, 2023 20:44
@armfazh armfazh self-assigned this Feb 21, 2023
bwesterb
bwesterb approved these changes Feb 21, 2023
View reviewed changes
Copy link
Member

@bwesterb bwesterb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One little nit.

cipher/ascon/ascon.go
// more resistance against a quantum adversary using Grover’s algorithm for
// key search. Since Ascon-128 and Ascon-80pq share the same building blocks
// and same parameters except the size of the key, it is claimed the same
// security for Ascon-80pq against classical attacks as for Ascon-128.
Copy link
Member

@bwesterb bwesterb Feb 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't Ascon80pq provide 160b of classical security?

Copy link
Member

@bwesterb bwesterb Feb 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's good to add although Ascon-128 already reaches approximately NIST level 1 post-quantum security.

Copy link
Contributor Author

@armfazh armfazh Feb 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@meichlseder can give us more details.

Copy link

@meichlseder meichlseder Feb 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The text is correct, we don't claim 160 bits of classical security for Ascon-80pq.
Several parts of Ascon are scaled for 128-bit security (with data limit 2^64), including the sponge capacity, tag size, permutation distinguisher bounds, etc., thus the common 128-bit security claim for all variants.
Depending on your precise definition of b-bit security and additional constraints besides offline time complexity (data limits including number of encryption/decryption queries, misuse settings, etc), ymmv.

@armfazh armfazh merged commit eb5ff89 into cloudflare:main Feb 21, 2023
@armfazh armfazh deleted the asconCte branch February 21, 2023 22:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bwesterb bwesterb bwesterb approved these changes

@cjpatton cjpatton Awaiting requested review from cjpatton

+1 more reviewer

@meichlseder meichlseder meichlseder left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@armfazh armfazh

Labels

tests Include new tests on the code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@armfazh @bwesterb @meichlseder